corinthia-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dennis E. Hamilton" <>
Subject RE: [DISCUSS][PRE-VOTE] Release candidate 0.1
Date Fri, 14 Aug 2015 18:54:48 GMT
I am failing to be clear about something.

Of course I am on the project.

And I am reviewing a release candidate.

My review is from the perspective of what a third party needs to know in order to obtain and
use the release candidate, were it approved as a release. 

Isn't that the purpose of such review?  To assess what they will find and its nature with
regard to Apache Project practices, etc.

I do not need to be taught how to add a public key to my key ring, or how to find Jan's key
on the list of Apache committer's keys.

My question is as a reviewer, applying my beginner's mind as well as I can. I assume the third
party is not on our dev@ list and is responding to an announcement of the availability of
an incubator release.  I do not want to rely on tacit knowledge or what I could figure out
as a knowledgeable participant on ASF Projects.  We're talking about something made available
to the public.

Is that understandable, now?

 - Dennis

-----Original Message-----
From: Peter Kelly [] 
Sent: Friday, August 14, 2015 10:42
Subject: Re: [DISCUSS][PRE-VOTE] Release candidate 0.1

> On 15 Aug 2015, at 12:34 am, Dennis E. Hamilton <> wrote:
> I think it looks good to you because you signed it and you have the public key.
> I obviously do not have the public key of the signer.
> Furthermore, nowhere am I told that I need yours.  I am reviewing this as someone who
is not on the project.  

My understanding is that you *are* on the project - these release candidates are intended
for people who are on the project.

Even if someone were not on the project, I don’t think it’s an unreasonable stretch to
assume that Jan is the signer, or that at minimum a verification could be attempted using
his public key.

[ ... ]

View raw message